Commit | Line | Data |
---|---|---|
973c9f4f | 1 | /* Manage a process's keyrings |
1da177e4 | 2 | * |
69664cf1 | 3 | * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved. |
1da177e4 LT |
4 | * Written by David Howells (dhowells@redhat.com) |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU General Public License | |
8 | * as published by the Free Software Foundation; either version | |
9 | * 2 of the License, or (at your option) any later version. | |
10 | */ | |
11 | ||
12 | #include <linux/module.h> | |
13 | #include <linux/init.h> | |
14 | #include <linux/sched.h> | |
1da177e4 LT |
15 | #include <linux/keyctl.h> |
16 | #include <linux/fs.h> | |
17 | #include <linux/err.h> | |
bb003079 | 18 | #include <linux/mutex.h> |
ee18d64c | 19 | #include <linux/security.h> |
1d1e9756 | 20 | #include <linux/user_namespace.h> |
1da177e4 LT |
21 | #include <asm/uaccess.h> |
22 | #include "internal.h" | |
23 | ||
973c9f4f | 24 | /* Session keyring create vs join semaphore */ |
bb003079 | 25 | static DEFINE_MUTEX(key_session_mutex); |
1da177e4 | 26 | |
973c9f4f | 27 | /* User keyring creation semaphore */ |
69664cf1 DH |
28 | static DEFINE_MUTEX(key_user_keyring_mutex); |
29 | ||
973c9f4f | 30 | /* The root user's tracking struct */ |
1da177e4 LT |
31 | struct key_user root_key_user = { |
32 | .usage = ATOMIC_INIT(3), | |
76181c13 | 33 | .cons_lock = __MUTEX_INITIALIZER(root_key_user.cons_lock), |
6cfd76a2 | 34 | .lock = __SPIN_LOCK_UNLOCKED(root_key_user.lock), |
1da177e4 LT |
35 | .nkeys = ATOMIC_INIT(2), |
36 | .nikeys = ATOMIC_INIT(2), | |
9a56c2db | 37 | .uid = GLOBAL_ROOT_UID, |
1da177e4 LT |
38 | }; |
39 | ||
1da177e4 | 40 | /* |
973c9f4f | 41 | * Install the user and user session keyrings for the current process's UID. |
1da177e4 | 42 | */ |
8bbf4976 | 43 | int install_user_keyrings(void) |
1da177e4 | 44 | { |
d84f4f99 DH |
45 | struct user_struct *user; |
46 | const struct cred *cred; | |
1da177e4 LT |
47 | struct key *uid_keyring, *session_keyring; |
48 | char buf[20]; | |
49 | int ret; | |
9a56c2db | 50 | uid_t uid; |
1da177e4 | 51 | |
d84f4f99 DH |
52 | cred = current_cred(); |
53 | user = cred->user; | |
9a56c2db | 54 | uid = from_kuid(cred->user_ns, user->uid); |
d84f4f99 | 55 | |
9a56c2db | 56 | kenter("%p{%u}", user, uid); |
1da177e4 | 57 | |
69664cf1 DH |
58 | if (user->uid_keyring) { |
59 | kleave(" = 0 [exist]"); | |
60 | return 0; | |
1da177e4 LT |
61 | } |
62 | ||
69664cf1 DH |
63 | mutex_lock(&key_user_keyring_mutex); |
64 | ret = 0; | |
1da177e4 | 65 | |
69664cf1 DH |
66 | if (!user->uid_keyring) { |
67 | /* get the UID-specific keyring | |
68 | * - there may be one in existence already as it may have been | |
69 | * pinned by a session, but the user_struct pointing to it | |
70 | * may have been destroyed by setuid */ | |
9a56c2db | 71 | sprintf(buf, "_uid.%u", uid); |
69664cf1 DH |
72 | |
73 | uid_keyring = find_keyring_by_name(buf, true); | |
74 | if (IS_ERR(uid_keyring)) { | |
9a56c2db | 75 | uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID, |
d84f4f99 | 76 | cred, KEY_ALLOC_IN_QUOTA, |
69664cf1 DH |
77 | NULL); |
78 | if (IS_ERR(uid_keyring)) { | |
79 | ret = PTR_ERR(uid_keyring); | |
80 | goto error; | |
81 | } | |
82 | } | |
83 | ||
84 | /* get a default session keyring (which might also exist | |
85 | * already) */ | |
9a56c2db | 86 | sprintf(buf, "_uid_ses.%u", uid); |
69664cf1 DH |
87 | |
88 | session_keyring = find_keyring_by_name(buf, true); | |
89 | if (IS_ERR(session_keyring)) { | |
90 | session_keyring = | |
9a56c2db | 91 | keyring_alloc(buf, user->uid, INVALID_GID, |
d84f4f99 | 92 | cred, KEY_ALLOC_IN_QUOTA, NULL); |
69664cf1 DH |
93 | if (IS_ERR(session_keyring)) { |
94 | ret = PTR_ERR(session_keyring); | |
95 | goto error_release; | |
96 | } | |
97 | ||
98 | /* we install a link from the user session keyring to | |
99 | * the user keyring */ | |
100 | ret = key_link(session_keyring, uid_keyring); | |
101 | if (ret < 0) | |
102 | goto error_release_both; | |
103 | } | |
104 | ||
105 | /* install the keyrings */ | |
106 | user->uid_keyring = uid_keyring; | |
107 | user->session_keyring = session_keyring; | |
1da177e4 LT |
108 | } |
109 | ||
69664cf1 DH |
110 | mutex_unlock(&key_user_keyring_mutex); |
111 | kleave(" = 0"); | |
112 | return 0; | |
1da177e4 | 113 | |
69664cf1 DH |
114 | error_release_both: |
115 | key_put(session_keyring); | |
116 | error_release: | |
117 | key_put(uid_keyring); | |
664cceb0 | 118 | error: |
69664cf1 DH |
119 | mutex_unlock(&key_user_keyring_mutex); |
120 | kleave(" = %d", ret); | |
1da177e4 | 121 | return ret; |
69664cf1 | 122 | } |
1da177e4 | 123 | |
1da177e4 | 124 | /* |
973c9f4f DH |
125 | * Install a fresh thread keyring directly to new credentials. This keyring is |
126 | * allowed to overrun the quota. | |
1da177e4 | 127 | */ |
d84f4f99 | 128 | int install_thread_keyring_to_cred(struct cred *new) |
1da177e4 | 129 | { |
d84f4f99 | 130 | struct key *keyring; |
1da177e4 | 131 | |
d84f4f99 DH |
132 | keyring = keyring_alloc("_tid", new->uid, new->gid, new, |
133 | KEY_ALLOC_QUOTA_OVERRUN, NULL); | |
134 | if (IS_ERR(keyring)) | |
135 | return PTR_ERR(keyring); | |
1da177e4 | 136 | |
d84f4f99 DH |
137 | new->thread_keyring = keyring; |
138 | return 0; | |
139 | } | |
1da177e4 | 140 | |
1da177e4 | 141 | /* |
973c9f4f | 142 | * Install a fresh thread keyring, discarding the old one. |
1da177e4 | 143 | */ |
d84f4f99 | 144 | static int install_thread_keyring(void) |
1da177e4 | 145 | { |
d84f4f99 | 146 | struct cred *new; |
1da177e4 LT |
147 | int ret; |
148 | ||
d84f4f99 DH |
149 | new = prepare_creds(); |
150 | if (!new) | |
151 | return -ENOMEM; | |
1da177e4 | 152 | |
d84f4f99 DH |
153 | BUG_ON(new->thread_keyring); |
154 | ||
155 | ret = install_thread_keyring_to_cred(new); | |
156 | if (ret < 0) { | |
157 | abort_creds(new); | |
158 | return ret; | |
1da177e4 LT |
159 | } |
160 | ||
d84f4f99 DH |
161 | return commit_creds(new); |
162 | } | |
1da177e4 | 163 | |
d84f4f99 | 164 | /* |
973c9f4f DH |
165 | * Install a process keyring directly to a credentials struct. |
166 | * | |
167 | * Returns -EEXIST if there was already a process keyring, 0 if one installed, | |
168 | * and other value on any other error | |
d84f4f99 DH |
169 | */ |
170 | int install_process_keyring_to_cred(struct cred *new) | |
171 | { | |
172 | struct key *keyring; | |
173 | int ret; | |
1da177e4 | 174 | |
d84f4f99 DH |
175 | if (new->tgcred->process_keyring) |
176 | return -EEXIST; | |
177 | ||
178 | keyring = keyring_alloc("_pid", new->uid, new->gid, | |
179 | new, KEY_ALLOC_QUOTA_OVERRUN, NULL); | |
180 | if (IS_ERR(keyring)) | |
181 | return PTR_ERR(keyring); | |
182 | ||
183 | spin_lock_irq(&new->tgcred->lock); | |
184 | if (!new->tgcred->process_keyring) { | |
185 | new->tgcred->process_keyring = keyring; | |
186 | keyring = NULL; | |
187 | ret = 0; | |
188 | } else { | |
189 | ret = -EEXIST; | |
190 | } | |
191 | spin_unlock_irq(&new->tgcred->lock); | |
192 | key_put(keyring); | |
1da177e4 | 193 | return ret; |
d84f4f99 | 194 | } |
1da177e4 | 195 | |
1da177e4 | 196 | /* |
973c9f4f DH |
197 | * Make sure a process keyring is installed for the current process. The |
198 | * existing process keyring is not replaced. | |
199 | * | |
200 | * Returns 0 if there is a process keyring by the end of this function, some | |
201 | * error otherwise. | |
1da177e4 | 202 | */ |
d84f4f99 | 203 | static int install_process_keyring(void) |
1da177e4 | 204 | { |
d84f4f99 | 205 | struct cred *new; |
1da177e4 LT |
206 | int ret; |
207 | ||
d84f4f99 DH |
208 | new = prepare_creds(); |
209 | if (!new) | |
210 | return -ENOMEM; | |
1da177e4 | 211 | |
d84f4f99 DH |
212 | ret = install_process_keyring_to_cred(new); |
213 | if (ret < 0) { | |
214 | abort_creds(new); | |
27d63798 | 215 | return ret != -EEXIST ? ret : 0; |
1da177e4 LT |
216 | } |
217 | ||
d84f4f99 DH |
218 | return commit_creds(new); |
219 | } | |
1da177e4 | 220 | |
1da177e4 | 221 | /* |
973c9f4f | 222 | * Install a session keyring directly to a credentials struct. |
1da177e4 | 223 | */ |
685bfd2c | 224 | int install_session_keyring_to_cred(struct cred *cred, struct key *keyring) |
1da177e4 | 225 | { |
7e047ef5 | 226 | unsigned long flags; |
1da177e4 | 227 | struct key *old; |
1a26feb9 DH |
228 | |
229 | might_sleep(); | |
1da177e4 LT |
230 | |
231 | /* create an empty session keyring */ | |
232 | if (!keyring) { | |
7e047ef5 | 233 | flags = KEY_ALLOC_QUOTA_OVERRUN; |
d84f4f99 | 234 | if (cred->tgcred->session_keyring) |
7e047ef5 DH |
235 | flags = KEY_ALLOC_IN_QUOTA; |
236 | ||
d84f4f99 DH |
237 | keyring = keyring_alloc("_ses", cred->uid, cred->gid, |
238 | cred, flags, NULL); | |
1a26feb9 DH |
239 | if (IS_ERR(keyring)) |
240 | return PTR_ERR(keyring); | |
d84f4f99 | 241 | } else { |
1da177e4 LT |
242 | atomic_inc(&keyring->usage); |
243 | } | |
244 | ||
245 | /* install the keyring */ | |
d84f4f99 DH |
246 | spin_lock_irq(&cred->tgcred->lock); |
247 | old = cred->tgcred->session_keyring; | |
248 | rcu_assign_pointer(cred->tgcred->session_keyring, keyring); | |
249 | spin_unlock_irq(&cred->tgcred->lock); | |
1da177e4 | 250 | |
1a26feb9 DH |
251 | /* we're using RCU on the pointer, but there's no point synchronising |
252 | * on it if it didn't previously point to anything */ | |
253 | if (old) { | |
254 | synchronize_rcu(); | |
255 | key_put(old); | |
256 | } | |
1da177e4 | 257 | |
1a26feb9 | 258 | return 0; |
d84f4f99 | 259 | } |
1da177e4 | 260 | |
1da177e4 | 261 | /* |
973c9f4f DH |
262 | * Install a session keyring, discarding the old one. If a keyring is not |
263 | * supplied, an empty one is invented. | |
1da177e4 | 264 | */ |
d84f4f99 | 265 | static int install_session_keyring(struct key *keyring) |
1da177e4 | 266 | { |
d84f4f99 DH |
267 | struct cred *new; |
268 | int ret; | |
1da177e4 | 269 | |
d84f4f99 DH |
270 | new = prepare_creds(); |
271 | if (!new) | |
272 | return -ENOMEM; | |
1da177e4 | 273 | |
99599537 | 274 | ret = install_session_keyring_to_cred(new, keyring); |
d84f4f99 DH |
275 | if (ret < 0) { |
276 | abort_creds(new); | |
277 | return ret; | |
278 | } | |
1da177e4 | 279 | |
d84f4f99 DH |
280 | return commit_creds(new); |
281 | } | |
1da177e4 | 282 | |
1da177e4 | 283 | /* |
973c9f4f | 284 | * Handle the fsuid changing. |
1da177e4 LT |
285 | */ |
286 | void key_fsuid_changed(struct task_struct *tsk) | |
287 | { | |
288 | /* update the ownership of the thread keyring */ | |
b6dff3ec DH |
289 | BUG_ON(!tsk->cred); |
290 | if (tsk->cred->thread_keyring) { | |
291 | down_write(&tsk->cred->thread_keyring->sem); | |
292 | tsk->cred->thread_keyring->uid = tsk->cred->fsuid; | |
293 | up_write(&tsk->cred->thread_keyring->sem); | |
1da177e4 | 294 | } |
a8b17ed0 | 295 | } |
1da177e4 | 296 | |
1da177e4 | 297 | /* |
973c9f4f | 298 | * Handle the fsgid changing. |
1da177e4 LT |
299 | */ |
300 | void key_fsgid_changed(struct task_struct *tsk) | |
301 | { | |
302 | /* update the ownership of the thread keyring */ | |
b6dff3ec DH |
303 | BUG_ON(!tsk->cred); |
304 | if (tsk->cred->thread_keyring) { | |
305 | down_write(&tsk->cred->thread_keyring->sem); | |
306 | tsk->cred->thread_keyring->gid = tsk->cred->fsgid; | |
307 | up_write(&tsk->cred->thread_keyring->sem); | |
1da177e4 | 308 | } |
a8b17ed0 | 309 | } |
1da177e4 | 310 | |
1da177e4 | 311 | /* |
973c9f4f DH |
312 | * Search the process keyrings attached to the supplied cred for the first |
313 | * matching key. | |
314 | * | |
315 | * The search criteria are the type and the match function. The description is | |
316 | * given to the match function as a parameter, but doesn't otherwise influence | |
317 | * the search. Typically the match function will compare the description | |
318 | * parameter to the key's description. | |
319 | * | |
320 | * This can only search keyrings that grant Search permission to the supplied | |
321 | * credentials. Keyrings linked to searched keyrings will also be searched if | |
322 | * they grant Search permission too. Keys can only be found if they grant | |
323 | * Search permission to the credentials. | |
324 | * | |
325 | * Returns a pointer to the key with the key usage count incremented if | |
326 | * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only | |
327 | * matched negative keys. | |
328 | * | |
329 | * In the case of a successful return, the possession attribute is set on the | |
330 | * returned key reference. | |
1da177e4 | 331 | */ |
927942aa DH |
332 | key_ref_t search_my_process_keyrings(struct key_type *type, |
333 | const void *description, | |
334 | key_match_func_t match, | |
78b7280c | 335 | bool no_state_check, |
927942aa | 336 | const struct cred *cred) |
1da177e4 | 337 | { |
b5f545c8 | 338 | key_ref_t key_ref, ret, err; |
1da177e4 LT |
339 | |
340 | /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were | |
341 | * searchable, but we failed to find a key or we found a negative key; | |
342 | * otherwise we want to return a sample error (probably -EACCES) if | |
343 | * none of the keyrings were searchable | |
344 | * | |
345 | * in terms of priority: success > -ENOKEY > -EAGAIN > other error | |
346 | */ | |
664cceb0 | 347 | key_ref = NULL; |
1da177e4 LT |
348 | ret = NULL; |
349 | err = ERR_PTR(-EAGAIN); | |
350 | ||
351 | /* search the thread keyring first */ | |
c69e8d9c | 352 | if (cred->thread_keyring) { |
664cceb0 | 353 | key_ref = keyring_search_aux( |
c69e8d9c | 354 | make_key_ref(cred->thread_keyring, 1), |
78b7280c | 355 | cred, type, description, match, no_state_check); |
664cceb0 | 356 | if (!IS_ERR(key_ref)) |
1da177e4 LT |
357 | goto found; |
358 | ||
664cceb0 | 359 | switch (PTR_ERR(key_ref)) { |
1da177e4 LT |
360 | case -EAGAIN: /* no key */ |
361 | if (ret) | |
362 | break; | |
363 | case -ENOKEY: /* negative key */ | |
664cceb0 | 364 | ret = key_ref; |
1da177e4 LT |
365 | break; |
366 | default: | |
664cceb0 | 367 | err = key_ref; |
1da177e4 LT |
368 | break; |
369 | } | |
370 | } | |
371 | ||
372 | /* search the process keyring second */ | |
bb952bb9 | 373 | if (cred->tgcred->process_keyring) { |
664cceb0 | 374 | key_ref = keyring_search_aux( |
bb952bb9 | 375 | make_key_ref(cred->tgcred->process_keyring, 1), |
78b7280c | 376 | cred, type, description, match, no_state_check); |
664cceb0 | 377 | if (!IS_ERR(key_ref)) |
1da177e4 LT |
378 | goto found; |
379 | ||
664cceb0 | 380 | switch (PTR_ERR(key_ref)) { |
1da177e4 LT |
381 | case -EAGAIN: /* no key */ |
382 | if (ret) | |
383 | break; | |
384 | case -ENOKEY: /* negative key */ | |
664cceb0 | 385 | ret = key_ref; |
1da177e4 LT |
386 | break; |
387 | default: | |
664cceb0 | 388 | err = key_ref; |
1da177e4 LT |
389 | break; |
390 | } | |
391 | } | |
392 | ||
3e30148c | 393 | /* search the session keyring */ |
bb952bb9 | 394 | if (cred->tgcred->session_keyring) { |
8589b4e0 | 395 | rcu_read_lock(); |
664cceb0 DH |
396 | key_ref = keyring_search_aux( |
397 | make_key_ref(rcu_dereference( | |
bb952bb9 | 398 | cred->tgcred->session_keyring), |
664cceb0 | 399 | 1), |
78b7280c | 400 | cred, type, description, match, no_state_check); |
8589b4e0 | 401 | rcu_read_unlock(); |
3e30148c | 402 | |
664cceb0 | 403 | if (!IS_ERR(key_ref)) |
3e30148c DH |
404 | goto found; |
405 | ||
664cceb0 | 406 | switch (PTR_ERR(key_ref)) { |
3e30148c DH |
407 | case -EAGAIN: /* no key */ |
408 | if (ret) | |
409 | break; | |
410 | case -ENOKEY: /* negative key */ | |
664cceb0 | 411 | ret = key_ref; |
3e30148c DH |
412 | break; |
413 | default: | |
664cceb0 | 414 | err = key_ref; |
3e30148c DH |
415 | break; |
416 | } | |
b5f545c8 DH |
417 | } |
418 | /* or search the user-session keyring */ | |
c69e8d9c | 419 | else if (cred->user->session_keyring) { |
b5f545c8 | 420 | key_ref = keyring_search_aux( |
c69e8d9c | 421 | make_key_ref(cred->user->session_keyring, 1), |
78b7280c | 422 | cred, type, description, match, no_state_check); |
664cceb0 | 423 | if (!IS_ERR(key_ref)) |
3e30148c DH |
424 | goto found; |
425 | ||
664cceb0 | 426 | switch (PTR_ERR(key_ref)) { |
3e30148c DH |
427 | case -EAGAIN: /* no key */ |
428 | if (ret) | |
429 | break; | |
430 | case -ENOKEY: /* negative key */ | |
664cceb0 | 431 | ret = key_ref; |
3e30148c DH |
432 | break; |
433 | default: | |
664cceb0 | 434 | err = key_ref; |
3e30148c DH |
435 | break; |
436 | } | |
8589b4e0 | 437 | } |
b5f545c8 | 438 | |
927942aa DH |
439 | /* no key - decide on the error we're going to go for */ |
440 | key_ref = ret ? ret : err; | |
441 | ||
442 | found: | |
443 | return key_ref; | |
444 | } | |
445 | ||
927942aa | 446 | /* |
973c9f4f DH |
447 | * Search the process keyrings attached to the supplied cred for the first |
448 | * matching key in the manner of search_my_process_keyrings(), but also search | |
449 | * the keys attached to the assumed authorisation key using its credentials if | |
450 | * one is available. | |
451 | * | |
452 | * Return same as search_my_process_keyrings(). | |
927942aa DH |
453 | */ |
454 | key_ref_t search_process_keyrings(struct key_type *type, | |
455 | const void *description, | |
456 | key_match_func_t match, | |
457 | const struct cred *cred) | |
458 | { | |
459 | struct request_key_auth *rka; | |
460 | key_ref_t key_ref, ret = ERR_PTR(-EACCES), err; | |
461 | ||
462 | might_sleep(); | |
463 | ||
78b7280c DH |
464 | key_ref = search_my_process_keyrings(type, description, match, |
465 | false, cred); | |
927942aa DH |
466 | if (!IS_ERR(key_ref)) |
467 | goto found; | |
468 | err = key_ref; | |
469 | ||
b5f545c8 DH |
470 | /* if this process has an instantiation authorisation key, then we also |
471 | * search the keyrings of the process mentioned there | |
472 | * - we don't permit access to request_key auth keys via this method | |
473 | */ | |
c69e8d9c | 474 | if (cred->request_key_auth && |
d84f4f99 | 475 | cred == current_cred() && |
04c567d9 | 476 | type != &key_type_request_key_auth |
b5f545c8 | 477 | ) { |
04c567d9 | 478 | /* defend against the auth key being revoked */ |
c69e8d9c | 479 | down_read(&cred->request_key_auth->sem); |
b5f545c8 | 480 | |
c69e8d9c DH |
481 | if (key_validate(cred->request_key_auth) == 0) { |
482 | rka = cred->request_key_auth->payload.data; | |
b5f545c8 | 483 | |
04c567d9 | 484 | key_ref = search_process_keyrings(type, description, |
d84f4f99 | 485 | match, rka->cred); |
1da177e4 | 486 | |
c69e8d9c | 487 | up_read(&cred->request_key_auth->sem); |
04c567d9 DH |
488 | |
489 | if (!IS_ERR(key_ref)) | |
490 | goto found; | |
491 | ||
927942aa | 492 | ret = key_ref; |
04c567d9 | 493 | } else { |
c69e8d9c | 494 | up_read(&cred->request_key_auth->sem); |
3e30148c | 495 | } |
1da177e4 LT |
496 | } |
497 | ||
498 | /* no key - decide on the error we're going to go for */ | |
927942aa DH |
499 | if (err == ERR_PTR(-ENOKEY) || ret == ERR_PTR(-ENOKEY)) |
500 | key_ref = ERR_PTR(-ENOKEY); | |
501 | else if (err == ERR_PTR(-EACCES)) | |
502 | key_ref = ret; | |
503 | else | |
504 | key_ref = err; | |
1da177e4 | 505 | |
3e30148c | 506 | found: |
664cceb0 | 507 | return key_ref; |
a8b17ed0 | 508 | } |
1da177e4 | 509 | |
664cceb0 | 510 | /* |
973c9f4f | 511 | * See if the key we're looking at is the target key. |
664cceb0 | 512 | */ |
927942aa | 513 | int lookup_user_key_possessed(const struct key *key, const void *target) |
664cceb0 DH |
514 | { |
515 | return key == target; | |
a8b17ed0 | 516 | } |
664cceb0 | 517 | |
1da177e4 | 518 | /* |
973c9f4f DH |
519 | * Look up a key ID given us by userspace with a given permissions mask to get |
520 | * the key it refers to. | |
521 | * | |
522 | * Flags can be passed to request that special keyrings be created if referred | |
523 | * to directly, to permit partially constructed keys to be found and to skip | |
524 | * validity and permission checks on the found key. | |
525 | * | |
526 | * Returns a pointer to the key with an incremented usage count if successful; | |
527 | * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond | |
528 | * to a key or the best found key was a negative key; -EKEYREVOKED or | |
529 | * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the | |
530 | * found key doesn't grant the requested permit or the LSM denied access to it; | |
531 | * or -ENOMEM if a special keyring couldn't be created. | |
532 | * | |
533 | * In the case of a successful return, the possession attribute is set on the | |
534 | * returned key reference. | |
1da177e4 | 535 | */ |
5593122e | 536 | key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, |
8bbf4976 | 537 | key_perm_t perm) |
1da177e4 | 538 | { |
8bbf4976 | 539 | struct request_key_auth *rka; |
d84f4f99 | 540 | const struct cred *cred; |
1da177e4 | 541 | struct key *key; |
b6dff3ec | 542 | key_ref_t key_ref, skey_ref; |
1da177e4 LT |
543 | int ret; |
544 | ||
bb952bb9 DH |
545 | try_again: |
546 | cred = get_current_cred(); | |
664cceb0 | 547 | key_ref = ERR_PTR(-ENOKEY); |
1da177e4 LT |
548 | |
549 | switch (id) { | |
550 | case KEY_SPEC_THREAD_KEYRING: | |
b6dff3ec | 551 | if (!cred->thread_keyring) { |
5593122e | 552 | if (!(lflags & KEY_LOOKUP_CREATE)) |
1da177e4 LT |
553 | goto error; |
554 | ||
8bbf4976 | 555 | ret = install_thread_keyring(); |
1da177e4 | 556 | if (ret < 0) { |
4d09ec0f | 557 | key_ref = ERR_PTR(ret); |
1da177e4 LT |
558 | goto error; |
559 | } | |
bb952bb9 | 560 | goto reget_creds; |
1da177e4 LT |
561 | } |
562 | ||
b6dff3ec | 563 | key = cred->thread_keyring; |
1da177e4 | 564 | atomic_inc(&key->usage); |
664cceb0 | 565 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
566 | break; |
567 | ||
568 | case KEY_SPEC_PROCESS_KEYRING: | |
bb952bb9 | 569 | if (!cred->tgcred->process_keyring) { |
5593122e | 570 | if (!(lflags & KEY_LOOKUP_CREATE)) |
1da177e4 LT |
571 | goto error; |
572 | ||
8bbf4976 | 573 | ret = install_process_keyring(); |
1da177e4 | 574 | if (ret < 0) { |
4d09ec0f | 575 | key_ref = ERR_PTR(ret); |
1da177e4 LT |
576 | goto error; |
577 | } | |
bb952bb9 | 578 | goto reget_creds; |
1da177e4 LT |
579 | } |
580 | ||
bb952bb9 | 581 | key = cred->tgcred->process_keyring; |
1da177e4 | 582 | atomic_inc(&key->usage); |
664cceb0 | 583 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
584 | break; |
585 | ||
586 | case KEY_SPEC_SESSION_KEYRING: | |
bb952bb9 | 587 | if (!cred->tgcred->session_keyring) { |
1da177e4 LT |
588 | /* always install a session keyring upon access if one |
589 | * doesn't exist yet */ | |
8bbf4976 | 590 | ret = install_user_keyrings(); |
69664cf1 DH |
591 | if (ret < 0) |
592 | goto error; | |
3ecf1b4f DH |
593 | if (lflags & KEY_LOOKUP_CREATE) |
594 | ret = join_session_keyring(NULL); | |
595 | else | |
596 | ret = install_session_keyring( | |
597 | cred->user->session_keyring); | |
d84f4f99 | 598 | |
1da177e4 LT |
599 | if (ret < 0) |
600 | goto error; | |
bb952bb9 | 601 | goto reget_creds; |
3ecf1b4f DH |
602 | } else if (cred->tgcred->session_keyring == |
603 | cred->user->session_keyring && | |
604 | lflags & KEY_LOOKUP_CREATE) { | |
605 | ret = join_session_keyring(NULL); | |
606 | if (ret < 0) | |
607 | goto error; | |
608 | goto reget_creds; | |
1da177e4 LT |
609 | } |
610 | ||
3e30148c | 611 | rcu_read_lock(); |
bb952bb9 | 612 | key = rcu_dereference(cred->tgcred->session_keyring); |
1da177e4 | 613 | atomic_inc(&key->usage); |
3e30148c | 614 | rcu_read_unlock(); |
664cceb0 | 615 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
616 | break; |
617 | ||
618 | case KEY_SPEC_USER_KEYRING: | |
b6dff3ec | 619 | if (!cred->user->uid_keyring) { |
8bbf4976 | 620 | ret = install_user_keyrings(); |
69664cf1 DH |
621 | if (ret < 0) |
622 | goto error; | |
623 | } | |
624 | ||
b6dff3ec | 625 | key = cred->user->uid_keyring; |
1da177e4 | 626 | atomic_inc(&key->usage); |
664cceb0 | 627 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
628 | break; |
629 | ||
630 | case KEY_SPEC_USER_SESSION_KEYRING: | |
b6dff3ec | 631 | if (!cred->user->session_keyring) { |
8bbf4976 | 632 | ret = install_user_keyrings(); |
69664cf1 DH |
633 | if (ret < 0) |
634 | goto error; | |
635 | } | |
636 | ||
b6dff3ec | 637 | key = cred->user->session_keyring; |
1da177e4 | 638 | atomic_inc(&key->usage); |
664cceb0 | 639 | key_ref = make_key_ref(key, 1); |
1da177e4 LT |
640 | break; |
641 | ||
642 | case KEY_SPEC_GROUP_KEYRING: | |
643 | /* group keyrings are not yet supported */ | |
4d09ec0f | 644 | key_ref = ERR_PTR(-EINVAL); |
1da177e4 LT |
645 | goto error; |
646 | ||
b5f545c8 | 647 | case KEY_SPEC_REQKEY_AUTH_KEY: |
b6dff3ec | 648 | key = cred->request_key_auth; |
b5f545c8 DH |
649 | if (!key) |
650 | goto error; | |
651 | ||
652 | atomic_inc(&key->usage); | |
653 | key_ref = make_key_ref(key, 1); | |
654 | break; | |
655 | ||
8bbf4976 | 656 | case KEY_SPEC_REQUESTOR_KEYRING: |
b6dff3ec | 657 | if (!cred->request_key_auth) |
8bbf4976 DH |
658 | goto error; |
659 | ||
b6dff3ec | 660 | down_read(&cred->request_key_auth->sem); |
f67dabbd DC |
661 | if (test_bit(KEY_FLAG_REVOKED, |
662 | &cred->request_key_auth->flags)) { | |
8bbf4976 DH |
663 | key_ref = ERR_PTR(-EKEYREVOKED); |
664 | key = NULL; | |
665 | } else { | |
b6dff3ec | 666 | rka = cred->request_key_auth->payload.data; |
8bbf4976 DH |
667 | key = rka->dest_keyring; |
668 | atomic_inc(&key->usage); | |
669 | } | |
b6dff3ec | 670 | up_read(&cred->request_key_auth->sem); |
8bbf4976 DH |
671 | if (!key) |
672 | goto error; | |
673 | key_ref = make_key_ref(key, 1); | |
674 | break; | |
675 | ||
1da177e4 | 676 | default: |
664cceb0 | 677 | key_ref = ERR_PTR(-EINVAL); |
1da177e4 LT |
678 | if (id < 1) |
679 | goto error; | |
680 | ||
681 | key = key_lookup(id); | |
664cceb0 | 682 | if (IS_ERR(key)) { |
e231c2ee | 683 | key_ref = ERR_CAST(key); |
1da177e4 | 684 | goto error; |
664cceb0 DH |
685 | } |
686 | ||
687 | key_ref = make_key_ref(key, 0); | |
688 | ||
689 | /* check to see if we possess the key */ | |
690 | skey_ref = search_process_keyrings(key->type, key, | |
691 | lookup_user_key_possessed, | |
d84f4f99 | 692 | cred); |
664cceb0 DH |
693 | |
694 | if (!IS_ERR(skey_ref)) { | |
695 | key_put(key); | |
696 | key_ref = skey_ref; | |
697 | } | |
698 | ||
1da177e4 LT |
699 | break; |
700 | } | |
701 | ||
5593122e DH |
702 | /* unlink does not use the nominated key in any way, so can skip all |
703 | * the permission checks as it is only concerned with the keyring */ | |
704 | if (lflags & KEY_LOOKUP_FOR_UNLINK) { | |
705 | ret = 0; | |
706 | goto error; | |
707 | } | |
708 | ||
709 | if (!(lflags & KEY_LOOKUP_PARTIAL)) { | |
76181c13 DH |
710 | ret = wait_for_key_construction(key, true); |
711 | switch (ret) { | |
712 | case -ERESTARTSYS: | |
713 | goto invalid_key; | |
714 | default: | |
715 | if (perm) | |
716 | goto invalid_key; | |
717 | case 0: | |
718 | break; | |
719 | } | |
720 | } else if (perm) { | |
1da177e4 LT |
721 | ret = key_validate(key); |
722 | if (ret < 0) | |
723 | goto invalid_key; | |
724 | } | |
725 | ||
726 | ret = -EIO; | |
5593122e DH |
727 | if (!(lflags & KEY_LOOKUP_PARTIAL) && |
728 | !test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) | |
1da177e4 LT |
729 | goto invalid_key; |
730 | ||
3e30148c | 731 | /* check the permissions */ |
d84f4f99 | 732 | ret = key_task_permission(key_ref, cred, perm); |
29db9190 | 733 | if (ret < 0) |
1da177e4 LT |
734 | goto invalid_key; |
735 | ||
31d5a79d DH |
736 | key->last_used_at = current_kernel_time().tv_sec; |
737 | ||
664cceb0 | 738 | error: |
bb952bb9 | 739 | put_cred(cred); |
664cceb0 | 740 | return key_ref; |
1da177e4 | 741 | |
664cceb0 DH |
742 | invalid_key: |
743 | key_ref_put(key_ref); | |
744 | key_ref = ERR_PTR(ret); | |
1da177e4 LT |
745 | goto error; |
746 | ||
bb952bb9 DH |
747 | /* if we attempted to install a keyring, then it may have caused new |
748 | * creds to be installed */ | |
749 | reget_creds: | |
750 | put_cred(cred); | |
751 | goto try_again; | |
a8b17ed0 | 752 | } |
bb952bb9 | 753 | |
1da177e4 | 754 | /* |
973c9f4f DH |
755 | * Join the named keyring as the session keyring if possible else attempt to |
756 | * create a new one of that name and join that. | |
757 | * | |
758 | * If the name is NULL, an empty anonymous keyring will be installed as the | |
759 | * session keyring. | |
760 | * | |
761 | * Named session keyrings are joined with a semaphore held to prevent the | |
762 | * keyrings from going away whilst the attempt is made to going them and also | |
763 | * to prevent a race in creating compatible session keyrings. | |
1da177e4 LT |
764 | */ |
765 | long join_session_keyring(const char *name) | |
766 | { | |
d84f4f99 DH |
767 | const struct cred *old; |
768 | struct cred *new; | |
1da177e4 | 769 | struct key *keyring; |
d84f4f99 DH |
770 | long ret, serial; |
771 | ||
772 | /* only permit this if there's a single thread in the thread group - | |
773 | * this avoids us having to adjust the creds on all threads and risking | |
774 | * ENOMEM */ | |
5bb459bb | 775 | if (!current_is_single_threaded()) |
d84f4f99 DH |
776 | return -EMLINK; |
777 | ||
778 | new = prepare_creds(); | |
779 | if (!new) | |
780 | return -ENOMEM; | |
781 | old = current_cred(); | |
1da177e4 LT |
782 | |
783 | /* if no name is provided, install an anonymous keyring */ | |
784 | if (!name) { | |
d84f4f99 | 785 | ret = install_session_keyring_to_cred(new, NULL); |
1da177e4 LT |
786 | if (ret < 0) |
787 | goto error; | |
788 | ||
d84f4f99 DH |
789 | serial = new->tgcred->session_keyring->serial; |
790 | ret = commit_creds(new); | |
791 | if (ret == 0) | |
792 | ret = serial; | |
793 | goto okay; | |
1da177e4 LT |
794 | } |
795 | ||
796 | /* allow the user to join or create a named keyring */ | |
bb003079 | 797 | mutex_lock(&key_session_mutex); |
1da177e4 LT |
798 | |
799 | /* look for an existing keyring of this name */ | |
69664cf1 | 800 | keyring = find_keyring_by_name(name, false); |
1da177e4 LT |
801 | if (PTR_ERR(keyring) == -ENOKEY) { |
802 | /* not found - try and create a new one */ | |
d84f4f99 | 803 | keyring = keyring_alloc(name, old->uid, old->gid, old, |
7e047ef5 | 804 | KEY_ALLOC_IN_QUOTA, NULL); |
1da177e4 LT |
805 | if (IS_ERR(keyring)) { |
806 | ret = PTR_ERR(keyring); | |
bcf945d3 | 807 | goto error2; |
1da177e4 | 808 | } |
d84f4f99 | 809 | } else if (IS_ERR(keyring)) { |
1da177e4 LT |
810 | ret = PTR_ERR(keyring); |
811 | goto error2; | |
812 | } | |
813 | ||
814 | /* we've got a keyring - now to install it */ | |
d84f4f99 | 815 | ret = install_session_keyring_to_cred(new, keyring); |
1da177e4 LT |
816 | if (ret < 0) |
817 | goto error2; | |
818 | ||
d84f4f99 DH |
819 | commit_creds(new); |
820 | mutex_unlock(&key_session_mutex); | |
821 | ||
1da177e4 LT |
822 | ret = keyring->serial; |
823 | key_put(keyring); | |
d84f4f99 DH |
824 | okay: |
825 | return ret; | |
1da177e4 | 826 | |
664cceb0 | 827 | error2: |
bb003079 | 828 | mutex_unlock(&key_session_mutex); |
664cceb0 | 829 | error: |
d84f4f99 | 830 | abort_creds(new); |
1da177e4 | 831 | return ret; |
d84f4f99 | 832 | } |
ee18d64c DH |
833 | |
834 | /* | |
973c9f4f DH |
835 | * Replace a process's session keyring on behalf of one of its children when |
836 | * the target process is about to resume userspace execution. | |
ee18d64c | 837 | */ |
67d12145 | 838 | void key_change_session_keyring(struct callback_head *twork) |
ee18d64c | 839 | { |
413cd3d9 | 840 | const struct cred *old = current_cred(); |
67d12145 | 841 | struct cred *new = container_of(twork, struct cred, rcu); |
ee18d64c | 842 | |
413cd3d9 ON |
843 | if (unlikely(current->flags & PF_EXITING)) { |
844 | put_cred(new); | |
ee18d64c | 845 | return; |
413cd3d9 | 846 | } |
ee18d64c | 847 | |
ee18d64c DH |
848 | new-> uid = old-> uid; |
849 | new-> euid = old-> euid; | |
850 | new-> suid = old-> suid; | |
851 | new->fsuid = old->fsuid; | |
852 | new-> gid = old-> gid; | |
853 | new-> egid = old-> egid; | |
854 | new-> sgid = old-> sgid; | |
855 | new->fsgid = old->fsgid; | |
856 | new->user = get_uid(old->user); | |
0093ccb6 | 857 | new->user_ns = get_user_ns(new->user_ns); |
ee18d64c DH |
858 | new->group_info = get_group_info(old->group_info); |
859 | ||
860 | new->securebits = old->securebits; | |
861 | new->cap_inheritable = old->cap_inheritable; | |
862 | new->cap_permitted = old->cap_permitted; | |
863 | new->cap_effective = old->cap_effective; | |
864 | new->cap_bset = old->cap_bset; | |
865 | ||
866 | new->jit_keyring = old->jit_keyring; | |
867 | new->thread_keyring = key_get(old->thread_keyring); | |
868 | new->tgcred->tgid = old->tgcred->tgid; | |
869 | new->tgcred->process_keyring = key_get(old->tgcred->process_keyring); | |
870 | ||
871 | security_transfer_creds(new, old); | |
872 | ||
873 | commit_creds(new); | |
874 | } |